Make MacPorts use HTTPS (SSL/TLS) to fetch packages

By default, MacPorts uses HTTP to fetch packages. For example:

--->  Attempting to fetch port_cutleaves-0.1.4_0.darwin_10.noarch.tbz2 from http://lil.fr.packages.macports.org/port_cutleaves

How should a user configure MacPorts to use HTTPS (SSL/TLS) instead?


Solution 1:

The obvious solution would be to modify the source URLs for the packages. The source URLs for a lot of packages appear to be /opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/_resources/port1.0/fetch/mirror_sites.tcl.

Having said that, I'm not sure whether it is a good idea to modify that file.

If you do a selfupdate, your modified file will be replaced.

Also, not all the mirrors are set up correctly to work with HTTPS. For example, the mirror in your example above, http://lil.fr.packages.macports.org/, presents an error if you try to access it at https://lil.fr.packages.macports.org/ because the host name of the certificate doesn't match.

Solution 2:

Why would you want to? If you're worried about the integrity of the downloads, you should know that MacPorts will also download and verify a detached RSA signature for each binary archive it downloads – the public key used for verification comes to your local machine using a tamper-resistant path (either an installer .pkg signed with a DeveloperID certificate, or – in case of key updates – signed with the old key).

For distfiles (i.e. source tarballs of software MacPorts wants to build), multiple checksums stored in the Portfile need to match for MacPorts to accept the download as authentic. The Portfiles also come to your machine using a tamper-resistant path.

Replying to your original question: You don't; the mirror infrastructure doesn't support it.
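
The distfile check described in Solution 2, as an added example that is not part of the original answer and not MacPorts' own code: a Python check that parses Portfile-style type/value checksum pairs and accepts a download only if every listed checksum matches. The function names, the sample data and the restriction to sha1, sha256 and size are assumptions of this example.

```python
import hashlib
import hmac

# Checksum types handled in this example; "size" is compared as a byte count.
HASHES = {"sha1", "sha256"}

def parse_checksums(spec):
    """Parse 'type value type value ...' pairs as written after `checksums`."""
    tokens = spec.replace("\\", " ").split()  # drop line-continuation backslashes
    if len(tokens) % 2:
        raise ValueError("checksum spec must be type/value pairs")
    return dict(zip(tokens[0::2], tokens[1::2]))

def verify_distfile(data, spec):
    """Return (ok, failures); every listed checksum must match."""
    expected = parse_checksums(spec)
    if not expected:
        raise ValueError("no checksums listed; refusing to accept download")
    failures = []
    for kind, want in expected.items():
        if kind == "size":
            if not want.isdigit() or len(data) != int(want):
                failures.append(kind)
        elif kind in HASHES:
            got = hashlib.new(kind, data).hexdigest()
            if not hmac.compare_digest(got, want.lower()):
                failures.append(kind)
        else:
            # Unknown type: fail closed rather than silently skipping it.
            failures.append(kind)
    return (not failures, failures)

# Constructed sample: a stand-in "tarball" and the checksums a Portfile would pin.
ORIGINAL = b"constructed distfile contents v0.1.4\n"
SPEC = "sha1 {} \\\n sha256 {} \\\n size {}".format(
    hashlib.sha1(ORIGINAL).hexdigest(),
    hashlib.sha256(ORIGINAL).hexdigest(),
    len(ORIGINAL),
)
# Same length, a single byte changed, as could happen to a download over plain HTTP.
TAMPERED = ORIGINAL.replace(b"v0.1.4", b"v0.1.5")

if __name__ == "__main__":
    print(verify_distfile(ORIGINAL, SPEC))   # accepted
    print(verify_distfile(TAMPERED, SPEC))   # rejected: hashes differ, size does not
```

The tampered sample keeps the same length, so the size check alone passes and only the hashes catch the change; the pinned values protect the download only because the Portfile carrying them arrives over the tamper-resistant path the answer mentions.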